[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)

Mon Dec 10 13:23:12 UTC 2012

** Description changed:

  smtp_cmd_buffer_size is currently 2048 bytes.  2048 bytes is not sufficient for
  clients that send an AUTH with an initial-response for GSSAPI when Windows
  Kerberos tickets are used that contain a PAC -- as of Windows 2003, the maximum
  ticket size is 12000 bytes.

  MUAs that use AUTH GSSAPI without an initial-response are not impacted by the
  2048 limit, since the remainder of the SASL session is handled by auth_get_data
  in Exim, which uses big_buffer and has sufficient space to process large
  Kerberos tickets.

  Thunderbird will always send an AUTH GSSAPI with an initial-response, which
  makes it subject to the 2048 byte limit.  A large Kerberos ticket will easily
  surpass 2048 bytes when base64-encoded, causing the AUTH to fail.

  RFC 4954 recommends 12288 bytes as a line limit to handle AUTH.  For a base64
  encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.

  This bug is fixed upstream (4.77). It would be nice to backport it to
  precise.

  [Impact]
  smtp_cmd_buffer_size is currently 2048 bytes.  2048 bytes is not sufficient for
  clients that send an AUTH with an initial-response for GSSAPI when Windows
  Kerberos tickets are used that contain a PAC. For a base64
  encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.
+ Fixing this bug lets us to use exim4 smtp server with AD kerberos authentication and windows clients, so I think it's worth fixing.

  [Test Case]
- 1. Configure exim4 to use GSSAPI auth.
- 2. Configure thunderbird to use GSSAPI smtp auth on windows xp/vista/7/2003/2008.
- 3. Auth will always fail.
+ 1. You need a configured AD/samba4 domain
+ 2. Configure exim4 to use GSSAPI auth (here is dovecot method):
+  - # apt-get instal dovecot-imapd exim4-daemon-heavy
+  - /etc/krb5.keytab should contain 'smtp/fqdn.host.name at YOUR.REALM' credentials (import it somehow), just for test make it readable for all. (chmod 644 /etc/krb5.keytab)
+  - your dovecot config should contain something like this:
+ auth_mechanisms = gssapi
+ auth_default_realm = YOUR.REALM
+ auth_realms = YOUR.REALM
+ auth_gssapi_hostname = fqdn.host.name
+ auth_krb5_keytab = /etc/krb5.keytab
+ service auth {
+   unix_listener auth-client {
+     mode = 0600
+     user = Debian-exim
+   }
+  - your exim's 'begin authenticators' section of the config should contain something like:
+ auth_gssapi:
+     driver			= dovecot
+     public_name			= GSSAPI
+     server_socket		= /var/run/dovecot/auth-client
+     server_set_id		= $auth1
+ 3. Configure thunderbird to use GSSAPI smtp auth on windows xp/vista/7/2003/2008 (member of your AD domain).
+  - install thunderbird or use thunderbird portable
+  - configure any (e.g. it could be nonexisting at all) IMAP/POP mail account in thunderbird (using some domain member account)
+  - in account settings set authentication address/port to your exim server, username to your domain username, auth method to 'Kerberos/GSSAPI'
+ 4. Try to send mail. Auth will always fail. In exim's log there will be messages like these:
+ 2012-12-09 00:04:46 SMTP syntax error in "AUTH GSSAPI YIIGSQYJKoZIhvcSAQICAQBuggY4MIIGNKADAgEFoQMCAQ6iBwMFACAAAACjggS+YYIEujCCBLagAwIBBaELGwlURUxST1MuUlWiJzAloAMCAQKhHjAcGwRzbXRwGxR1dG1wMTJ0ZXN0LnRlbHJvcy5ydaOCBHcwggRzoAMCARehAwIBAqKCBGUEggRhI5eKDsWe+sqexT9BL5+35Gp7+IkML3W1YrbzW9H1yQyx1RzyFZkav6JcFgRf2E9QqXJv5qIl93+hBEN6K1skn0mmJeXCMd7FHQ/QJZwBTXY74z5mBVyJimPn9wmQrj8KD8+643hAjKTwCTmSoP32pH93vNudW39jjYxYWWagck9DieynL61W+QpXHIIwE95K2nVvUB2LzmL9L2czfRAe1uxegnZG4iLrAW7loJfB9S3q1sU7hU5t1e4rOxEs6iYCejSn0nq/So36xFBYdrWb6xD+VfrX14FJ3ypZN6pbTcTKQFpmfVasKt7SXK6rrcDAM5M9OagE5Tc4JlJh2ojDlSRuflDdOHYga3BGwIlS6OqsEQrPbt7LcBPiyjGAb9iqojn/ZZmKR7YaDbsTu1ToxJFGzkf7RU1fBVHL73r5RiT+rEjELOjWOQZZ4nAd2ppwQUq/cKW2k2xHsODU7i2PzM5CvbSkiaV8/EmfiQoY0Q8al5y/5bqu++GLkXBla03vm2uhm/pW+JuvrcK39dkXijSBfTCAlN6nYuCHUA7vI4VeRV2pTAg9EM/rf+G8CMrMtB54P1lnAiXVkuayFLTFQYz6hjkGKetSi0XLLMS3W0Qi7jK6jc7BpleNfJ6pMjhxAa7t2sJ+Gtu8eQpICnT/PWxlSNOsUB8yVzrB2htB39B+r5XDRbYP4OsINffW4SrF1nG7/uyMxTFh3jSpX6vJ0qZPZHy9dskxjTQymE6GM9SVqZsORen+vUaADp8DIfXUxcRFokyszhmovYPsu3lKR7mwmy39q+Z2AKDatvpkf/CMtCQCqwtVXWx7bg8aJb2KMbPmVVbf15PuXhRK4iypgY8KvDi4Y+uVgdYld4PnvFlH4tUp4pqkWvZBPIYDDGDhvIWKZFnx0Kl3ETQrZ/49XRG0/we81QuH8dpzQSKjzjS2dsAIkNDzG5Z/Qg1yBQbjS0zGNS0EY0I/Qi+vQtp+kAPMikZtvulDL/kyPAvjH8q3sv2XUdhfV1c4+8mLD1gof7JgOLQ+bxXcNcjWnLqXsY2hfV1HNSd+FBkMc3ubPrMxzCVIW86p4Me+CuAI46k43Pror3bgROP2WRWZmFTKRq879dS85PkOJfCDK0jOJEZOZW+Y5nAPAqITXhTbAJzH14LhiGyjUascTdqgJW5rqm16hcINDYYwZZYZgiIbb7CDUdPi0ti8uq7U0dWhhGG2rJAi5zWQtghXL/Ottd6dDIyR54BzcD3nAnAxfeBtOo1wZfd1lebF0kKE3vO+UmwJ1QHRRKNKQmv+XicII75B8YM3pHC2YXwpZRYCgEvSjqHMoT8fp3VEDGgUaGYAP+nSlP0+6zfI7AQdRVQ4nHbz5tBzJEQeJ67Kl9DRqGapfDbiUtGh+Da2Nd354eG4kiBXRJc8EZ50+/hLlWWWqmhDBJfVFg/qxeVB1DCx1IABMm0vTBlWCfV8V42S2Yzuk0wxTzEr++Vq6MtEI3I/zfsix/ykggFbMIIBV6ADAgEXooIBTgSCAUowRsO1Lr+r/PfELwWhCABk8wMxMYFOEOC1p68G1N4zCAOOKTy7vEE8K36abJ1XlF+DmT4bYZ0pGMA/5ffq8ntBk5B83RsKfN3Pgbxwxn3yg22Bx3RLzjYRu22exuJ91SixBWzV+YAlzcTsrYKgMvxfaMbHeC50gBrV0/7r1a3DJSZ3f6uMFwpb/vfHUSTxRnj/nESwTrxr7QB/aVl1/gu75xLRCUE91d0+a5EN2650sSCN126XAcTG+ySQldWo2SpdIobYPALOhGgSeNL23/7HMDFDMlk0lyiBunv3qFycUdOq+cW/2MO6j9lhXGUcaGm3tyRU" H=([172.25.0.12]) [172.25.0.12] I=[172.25.0.214]:465 unrecognized command
+ 2012-12-09 00:04:46 SMTP syntax error in "3LbXXOLpS9xBClRbWZIYQ7iQ7UkbwPqZ+715Afyj1HfFLTQGDB7pvPj6w/0QwmzpKIuJ1hyE7TAwn7GCdQYlP4p3dFLgwQttuD30zASNrjx4q/mEvA=" H=([172.25.0.12]) [172.25.0.12] I=[172.25.0.214]:465 unrecognized command
+ 5. Same time dovecot imap/pop3 gssapi auth works fine. Installing exim from quantal to precise fixes this bug.

  [Regression Potential]
- The fix for this bug is one-line-patch applied to upstream (4.77) more than year ago, so it already has got sufficient testing.
+ The fix for this bug is one-line-patch applied to upstream (4.77) more than year ago, so it already has got sufficient testing. Quantal and raring already contains fixed version (we use the version from quantal installed to precise in production).

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to exim4 in Ubuntu.
https://bugs.launchpad.net/bugs/1088136

Title:
  AUTH cannot handle a request with an initial-response over 2048 bytes
  (GSSAPI-related)

To manage notifications about this bug go to:
https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions